diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch new file mode 100644 index 0000000..5bf33f6 --- /dev/null +++ b/openssl-1.1.1-krb5-kdf.patch @@ -0,0 +1,1254 @@ +diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt +--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-12 13:30:36.283748577 +0100 +@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g + EVP_F_SCRYPT_ALG:228:scrypt_alg + EVP_F_UPDATE:173:update + KDF_F_HKDF_EXTRACT:112:HKDF_Extract ++KDF_F_KBKDF_CTRL:134:kbkdf_ctrl ++KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str ++KDF_F_KBKDF_DERIVE:136:kbkdf_derive ++KDF_F_KBKDF_NEW:137:kbkdf_new ++KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl + KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive + KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new + KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size +@@ -2326,6 +2331,8 @@ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mod + EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length + EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys + KDF_R_INVALID_DIGEST:100:invalid digest ++KDF_R_INVALID_SEED_LENGTH:116:invalid seed length ++KDF_R_MISSING_CIPHER:117:missing cipher + KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count + KDF_R_MISSING_KEY:104:missing key + KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest +diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-12 13:44:04.435282854 +0100 +@@ -31,6 +31,7 @@ static const EVP_KDF_METHOD *standard_me + &tls1_prf_kdf_meth, + &hkdf_kdf_meth, + &sshkdf_kdf_meth, ++ &kb_kdf_meth, + }; + + DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, +diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h +--- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-12 13:30:36.283748577 +0100 +@@ -130,6 +130,7 @@ extern const EVP_KDF_METHOD scrypt_kdf_m + extern const EVP_KDF_METHOD tls1_prf_kdf_meth; + extern const EVP_KDF_METHOD hkdf_kdf_meth; + extern const EVP_KDF_METHOD sshkdf_kdf_meth; ++extern const EVP_KDF_METHOD kb_kdf_meth; + + struct evp_md_st { + int type; +diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info +--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-12 13:30:36.284748559 +0100 +@@ -1,3 +1,3 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c +diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c +--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-12 13:30:36.284748559 +0100 ++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-12 16:09:32.828238926 +0100 +@@ -0,0 +1,530 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2019 Red Hat, Inc. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final ++ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC ++ * and CMAC. That document does not name the KDFs it defines; the name is ++ * derived from ++ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation ++ * ++ * Note that section 5.3 ("double-pipeline mode") is not implemented, though ++ * it would be possible to do so in the future. ++ * ++ * These versions all assume the counter is used. It would be relatively ++ * straightforward to expose a configuration handle should the need arise. ++ * ++ * Variable names attempt to match those of SP800-108. ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "internal/cryptlib.h" ++#include "internal/evp_int.h" ++#include "kdf_local.h" ++ ++#include "e_os.h" ++ ++#define MIN(a, b) ((a) < (b)) ? (a) : (b) ++ ++typedef struct { ++ int mac_type; ++ union { ++ HMAC_CTX *hmac; ++ CMAC_CTX *cmac; ++ } m; ++} MAC_CTX; ++ ++/* Our context structure. */ ++struct evp_kdf_impl_st { ++ int mode; ++ ++ MAC_CTX *ctx_init; ++ ++ const EVP_CIPHER *cipher; ++ const EVP_MD *md; ++ ++ /* Names are lowercased versions of those found in SP800-108. */ ++ unsigned char *ki; ++ size_t ki_len; ++ unsigned char *label; ++ size_t label_len; ++ unsigned char *context; ++ size_t context_len; ++ unsigned char *iv; ++ size_t iv_len; ++}; ++ ++static MAC_CTX *EVP_MAC_CTX_new(int mac_type) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = mac_type; ++ if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ OPENSSL_free(ctx); ++ return NULL; ++} ++ ++static void EVP_MAC_CTX_free(MAC_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ HMAC_CTX_free(ctx->m.hmac); ++ else ++ CMAC_CTX_free(ctx->m.cmac); ++} ++ ++static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*sctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = sctx->mac_type; ++ if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL ++ || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL ++ || CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ EVP_MAC_CTX_free(ctx); ++ return NULL; ++} ++ ++static size_t EVP_MAC_size(MAC_CTX *ctx) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ const EVP_MD *md; ++ ++ if (ctx->m.hmac == NULL) ++ return 0; ++ if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL) ++ return 0; ++ return (size_t)EVP_MD_size(md); ++ } else { ++ const EVP_CIPHER_CTX *cctx; ++ ++ if (ctx->m.cmac == NULL) ++ return 0; ++ if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL) ++ return 0; ++ return EVP_CIPHER_CTX_block_size(cctx); ++ } ++} ++ ++static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data, ++ size_t datalen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ return HMAC_Update(ctx->m.hmac, data, datalen); ++ else ++ return CMAC_Update(ctx->m.cmac, data, datalen); ++} ++ ++static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out, ++ size_t *outl, size_t outsize) ++{ ++ if (outsize != EVP_MAC_size(ctx)) ++ /* we do not cope with anything else */ ++ return 0; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ unsigned int intsize = (unsigned int)outsize; ++ int ret; ++ ++ ret = HMAC_Final(ctx->m.hmac, out, &intsize); ++ if (outl != NULL) ++ *outl = intsize; ++ return ret; ++ } else { ++ size_t size = outsize; ++ int ret; ++ ++ ret = CMAC_Final(ctx->m.cmac, out, &size); ++ if (outl != NULL) ++ *outl = size; ++ return ret; ++ } ++} ++ ++static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md, ++ const EVP_CIPHER *cipher, unsigned char *key, size_t keylen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if (md == NULL) ++ return 0; ++ return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL); ++ } else { ++ if (cipher == NULL) ++ return 0; ++ return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL); ++ } ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx); ++ ++/* Not all platforms have htobe32(). */ ++static uint32_t be32(uint32_t host) ++{ ++ uint32_t big = 0; ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (!is_endian.little) ++ return host; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++} ++ ++static EVP_KDF_IMPL *kbkdf_new(void) ++{ ++ EVP_KDF_IMPL *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) { ++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ return ctx; ++} ++ ++static void kbkdf_free(EVP_KDF_IMPL *ctx) ++{ ++ kbkdf_reset(ctx); ++ OPENSSL_free(ctx); ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx) ++{ ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ OPENSSL_clear_free(ctx->context, ctx->context_len); ++ OPENSSL_clear_free(ctx->label, ctx->label_len); ++ OPENSSL_clear_free(ctx->ki, ctx->ki_len); ++ OPENSSL_clear_free(ctx->iv, ctx->iv_len); ++ memset(ctx, 0, sizeof(*ctx)); ++} ++ ++/* SP800-108 section 5.1 or section 5.2 depending on mode. */ ++static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv, ++ size_t iv_len, unsigned char *label, size_t label_len, ++ unsigned char *context, size_t context_len, ++ unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko, ++ size_t ko_len) ++{ ++ int ret = 0; ++ MAC_CTX *ctx = NULL; ++ size_t written = 0, to_write, k_i_len = iv_len; ++ const unsigned char zero = 0; ++ uint32_t counter, i; ++ ++ /* Setup K(0) for feedback mode. */ ++ if (iv_len > 0) ++ memcpy(k_i, iv, iv_len); ++ ++ for (counter = 1; written < ko_len; counter++) { ++ i = be32(counter); ++ ++ ctx = EVP_MAC_CTX_dup(ctx_init); ++ if (ctx == NULL) ++ goto done; ++ ++ /* Perform feedback, if appropriate. */ ++ if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) ++ goto done; ++ ++ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) ++ || !EVP_MAC_update(ctx, label, label_len) ++ || !EVP_MAC_update(ctx, &zero, 1) ++ || !EVP_MAC_update(ctx, context, context_len) ++ || !EVP_MAC_update(ctx, (unsigned char *)&l, 4) ++ || !EVP_MAC_final(ctx, k_i, NULL, h)) ++ goto done; ++ ++ to_write = ko_len - written; ++ memcpy(ko + written, k_i, MIN(to_write, h)); ++ written += h; ++ ++ k_i_len = h; ++ EVP_MAC_CTX_free(ctx); ++ ctx = NULL; ++ } ++ ++ ret = 1; ++done: ++ EVP_MAC_CTX_free(ctx); ++ return ret; ++} ++ ++static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen) ++{ ++ int ret = 0; ++ unsigned char *k_i = NULL; ++ uint32_t l = be32(keylen * 8); ++ size_t h = 0; ++ ++ /* label, context, and iv are permitted to be empty. Check everything ++ * else. */ ++ if (ctx->ctx_init == NULL ++ || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) { ++ if (ctx->ki_len == 0 || ctx->ki == NULL) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ /* Could either be missing MAC or missing message digest or missing ++ * cipher - arbitrarily, I pick this one. */ ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER); ++ return 0; ++ } ++ ++ h = EVP_MAC_size(ctx->ctx_init); ++ if (h == 0) ++ goto done; ++ if (ctx->iv_len != 0 && ctx->iv_len != h) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH); ++ goto done; ++ } ++ ++ k_i = OPENSSL_zalloc(h); ++ if (k_i == NULL) ++ goto done; ++ ++ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, ++ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, ++ key, keylen); ++done: ++ if (ret != 1) ++ OPENSSL_cleanse(key, keylen); ++ OPENSSL_clear_free(k_i, h); ++ return ret; ++} ++ ++static size_t kbkdf_size(EVP_KDF_IMPL *ctx) ++{ ++ return UINT32_MAX/8; ++} ++ ++static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) ++{ ++ int t; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ ctx->md = va_arg(args, const EVP_MD *); ++ if (ctx->md == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_CIPHER: ++ ctx->cipher = va_arg(args, const EVP_CIPHER *); ++ if (ctx->cipher == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return kbkdf_parse_buffer_arg(&ctx->ki, ++ &ctx->ki_len, args); ++ ++ case EVP_KDF_CTRL_SET_SALT: ++ return kbkdf_parse_buffer_arg(&ctx->label, ++ &ctx->label_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_INFO: ++ return kbkdf_parse_buffer_arg(&ctx->context, ++ &ctx->context_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_SEED: ++ return kbkdf_parse_buffer_arg(&ctx->iv, ++ &ctx->iv_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_MODE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) { ++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ctx->mode = t; ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KB_MAC_TYPE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) { ++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ if (ctx->ctx_init != NULL) { ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ } ++ ctx->ctx_init = EVP_MAC_CTX_new(t); ++ if (ctx->ctx_init == NULL) { ++ KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ return 1; ++ ++ default: ++ return -2; ++ ++ } ++} ++ ++static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ /* alias, for historical reasons */ ++ if (strcmp(type, "md") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ if (strcmp(type, "cipher") == 0) ++ return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "salt") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "hexsalt") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "info") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "hexinfo") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "seed") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "hexseed") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "mode") == 0) { ++ int mode; ++ ++ if (strcasecmp(value, "counter") == 0) { ++ mode = EVP_KDF_KB_MODE_COUNTER; ++ } else if (strcasecmp(value, "feedback") == 0) { ++ mode = EVP_KDF_KB_MODE_FEEDBACK; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE, ++ mode); ++ } ++ ++ if (strcmp(type, "mac_type") == 0) { ++ int mac_type; ++ ++ if (strcasecmp(value, "hmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_HMAC; ++ } else if (strcasecmp(value, "cmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_CMAC; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, ++ mac_type); ++ } ++ ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++ ++const EVP_KDF_METHOD kb_kdf_meth = { ++ EVP_KDF_KB, ++ kbkdf_new, ++ kbkdf_free, ++ kbkdf_reset, ++ kbkdf_ctrl, ++ kbkdf_ctrl_str, ++ kbkdf_size, ++ kbkdf_derive, ++}; ++ +diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-12 13:30:36.262748955 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-12 13:30:36.284748559 +0100 +@@ -15,6 +15,11 @@ + + static const ERR_STRING_DATA KDF_str_functs[] = { + {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, +@@ -64,7 +69,9 @@ static const ERR_STRING_DATA KDF_str_fun + }; + + static const ERR_STRING_DATA KDF_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), + "missing iteration count"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, +diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-12 13:30:36.284748559 +0100 +@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, + int kdf_md2ctrl(EVP_KDF_IMPL *impl, + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); +- ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name); +diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-12 13:30:36.284748559 +0100 +@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, + return call_ctrl(ctrl, impl, cmd, md); + } + ++/* Pass a cipher to a ctrl */ ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name) ++{ ++ const EVP_CIPHER *cipher; ++ ++ if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) { ++ KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER); ++ return 0; ++ } ++ return call_ctrl(ctrl, impl, cmd, cipher); ++} +diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h +--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-12 13:30:36.285748541 +0100 +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1197 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"KBKDF", "kbkdf", NID_kbkdf}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1188 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -2442,6 +2443,7 @@ static const unsigned int sn_objs[NUM_SN + 183, /* "ISO-US" */ + 645, /* "ITU-T" */ + 646, /* "JOINT-ISO-ITU-T" */ ++ 1196, /* "KBKDF" */ + 773, /* "KISA" */ + 1063, /* "KxANY" */ + 1039, /* "KxDHE" */ +@@ -3469,7 +3471,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1188 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4262,6 +4264,7 @@ static const unsigned int ln_objs[NUM_LN + 957, /* "jurisdictionCountryName" */ + 955, /* "jurisdictionLocalityName" */ + 956, /* "jurisdictionStateOrProvinceName" */ ++ 1196, /* "kbkdf" */ + 150, /* "keyBag" */ + 773, /* "kisa" */ + 1063, /* "kx-any" */ +diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt +--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-12 13:30:36.286748523 +0100 +@@ -1603,6 +1603,9 @@ secg-scheme 14 3 : dhSinglePass-cofactor + # NID for SSHKDF + : SSHKDF : sshkdf + ++# NID for KBKDF ++ : KBKDF : kbkdf ++ + # RFC 4556 + 1 3 6 1 5 2 3 : id-pkinit + id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth +diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num +--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-12 13:30:36.286748523 +0100 +@@ -1193,3 +1193,4 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++kbkdf 1196 +diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-12 13:30:36.254749099 +0100 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-12 13:30:36.286748523 +0100 +@@ -140,7 +140,14 @@ The value string is expected to be a dec + This control expects one argument: C + + For MAC implementations that use a message digest as an underlying computation +-algorithm, this control set what the digest algorithm should be. ++algorithm, this control sets what the digest algorithm should be. ++ ++=item B ++ ++This control expects one argument: C ++ ++For MAC implementations that use a cipher as an underlying computation ++algorithm, this control sets what the cipher algorithm should be. + + EVP_KDF_ctrl_str() type string: "md" + +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-12 13:30:36.286748523 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-12 13:30:36.286748523 +0100 +@@ -0,0 +1,177 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_KB - The Key-Based EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++The EVP_KDF_KB algorithm implements the Key-Based key derivation function ++(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an ++input secret (and other optional values). ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it can be used with the ++EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mode for the KBKDF operation. There are two supported modes: ++ ++=over 4 ++ ++=item B ++ ++The counter mode of KBKDF should be used. This is the default. ++ ++=item B ++ ++The feedback mode of KBKDF should be used. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mac type for the KBKDF operation. There are two supported mac types: ++ ++=over 4 ++ ++=item B ++ ++The HMAC with the digest set by B should be used as the mac. ++ ++=item B ++ ++The CMAC with the cipher set by B should be used as the mac. ++ ++=back ++ ++=item B ++ ++=item B ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++It is used only in the feedback mode and the length must be the same ++as the block length of the cipher in CMAC or the size of the digest in HMAC. ++ ++=back ++ ++The controls B, B, ++B, and B ++correspond to KI, Label, Context, and IV (respectively) in SP800-108. ++As in that document, salt, info, and seed are optional and may be ++omitted. ++ ++Depending on whether mac is CMAC or HMAC, either digest or cipher is ++required (respectively) and the other is unused. ++ ++=head1 NOTES ++ ++A context for KBKDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++The output length of an KBKDF is specified via the C ++parameter to the L function. ++ ++Note that currently OpenSSL only implements counter and feedback modes. Other ++variants may be supported in the future. ++ ++=head1 EXAMPLES ++ ++This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret", ++Label "label", and Context "context". ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret", ++Label "label", Context "context", and IV "sixteen bytes iv". ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ unsigned char *iv = "sixteen bytes iv"; ++ ++ kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL); ++ kctx = EVP_KDF_CTX_new(kdf); ++ EVP_KDF_free(kdf); ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_ecb()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv)); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++NIST SP800-108, IETF RFC 6803, IETF RFC 8009. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2019 Red Hat, Inc. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h +--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-12 13:30:36.286748523 +0100 +@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void); + * KDF function codes. + */ + # define KDF_F_HKDF_EXTRACT 112 ++# define KDF_F_KBKDF_CTRL 134 ++# define KDF_F_KBKDF_CTRL_STR 135 ++# define KDF_F_KBKDF_DERIVE 136 ++# define KDF_F_KBKDF_NEW 137 ++# define KDF_F_KDF_CIPHER2CTRL 138 + # define KDF_F_KDF_HKDF_DERIVE 113 + # define KDF_F_KDF_HKDF_NEW 114 + # define KDF_F_KDF_HKDF_SIZE 115 +@@ -61,7 +66,9 @@ int ERR_load_KDF_strings(void); + /* + * KDF reason codes. + */ ++# define KDF_R_INVALID_CIPHER 116 + # define KDF_R_INVALID_DIGEST 100 ++# define KDF_R_INVALID_SEED_LENGTH 117 + # define KDF_R_MISSING_ITERATION_COUNT 109 + # define KDF_R_MISSING_KEY 104 + # define KDF_R_MISSING_MESSAGE_DIGEST 105 +diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h +--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-12 13:30:36.287748505 +0100 +@@ -21,6 +21,7 @@ extern "C" { + # define EVP_KDF_TLS1_PRF NID_tls1_prf + # define EVP_KDF_HKDF NID_hkdf + # define EVP_KDF_SSHKDF NID_sshkdf ++# define EVP_KDF_KB NID_kbkdf + + EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); + void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); +@@ -51,6 +52,11 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MODE 0x13 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MAC_TYPE 0x14 /* int */ ++# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */ ++# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */ + + # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 +@@ -63,6 +69,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 + #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 + ++#define EVP_KDF_KB_MODE_COUNTER 0 ++#define EVP_KDF_KB_MODE_FEEDBACK 1 ++ ++#define EVP_KDF_KB_MAC_TYPE_HMAC 0 ++#define EVP_KDF_KB_MAC_TYPE_CMAC 1 ++ + /**** The legacy PKEY-based KDF API follows. ****/ + + # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) +diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h +--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-12 13:30:36.287748505 +0100 +@@ -4974,6 +4974,10 @@ + #define LN_sshkdf "sshkdf" + #define NID_sshkdf 1203 + ++#define SN_kbkdf "KBKDF" ++#define LN_kbkdf "kbkdf" ++#define NID_kbkdf 1204 ++ + #define SN_id_pkinit "id-pkinit" + #define NID_id_pkinit 1031 + #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L +diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c +--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-12 13:30:36.257749045 +0100 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-12 16:35:19.265237664 +0100 +@@ -225,8 +225,261 @@ err: + } + #endif + ++/* ++ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5) ++ * section 10. ++ */ ++static int test_kdf_kbkdf_6803_128(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3, ++ 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][16] = { ++ {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0, ++ 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56}, ++ {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17, ++ 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB}, ++ {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C, ++ 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35} ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[16] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++static int test_kdf_kbkdf_6803_256(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE, ++ 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6, ++ 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F, ++ 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][32] = { ++ {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3, ++ 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22, ++ 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6, ++ 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50, ++ }, ++ {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F, ++ 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60, ++ 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F, ++ 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04, ++ }, ++ {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F, ++ 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB, ++ 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D, ++ 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0, ++ }, ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[32] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos ++ * 5) appendix A. */ ++static int test_kdf_kbkdf_8009_prf1(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, ++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, ++ }; ++ static unsigned char output[] = { ++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, ++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, ++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, ++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_kbkdf_8009_prf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, ++ 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98, ++ 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, ++ 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52, ++ }; ++ static unsigned char output[] = { ++ 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6, ++ 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0, ++ 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C, ++ 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D, ++ 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33, ++ 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int setup_tests(void) + { ++ ADD_TEST(test_kdf_kbkdf_6803_128); ++ ADD_TEST(test_kdf_kbkdf_6803_256); ++ ADD_TEST(test_kdf_kbkdf_8009_prf1); ++ ADD_TEST(test_kdf_kbkdf_8009_prf2); + ADD_TEST(test_kdf_tls1_prf); + ADD_TEST(test_kdf_hkdf); + ADD_TEST(test_kdf_pbkdf2);